Request and install certificate from a private CA

This topic describes how to request and install a trusted root security certificate for your appliance supplied by a private or internal certificate authority (CA). Trusted root certificates from a private CA are recommended only for proof of concept (PoC) tests.

To obtain a security certificate signed by a CA the first step is to create a certificate signing request (CSR) from the File Director appliance. You then submit the request data to your private CA. A certificate chain is required comprising the server certificate, the root, and chain (or intermediate) certificate(s). Once you obtain the signed certificates you will need to ensure they are each in the format required and then apply them to your File Director appliance.

In the case of trusted root certificates from private CAs, certificates must be installed within File Director in a particular order: firstly, the root certificate; then the chain certificate(s); and finally the server certificate.

The process is split into three key steps:

Create a CSR from the File Director appliance

Request certificates from your private CA

Apply certificate chain to the appliance

Prerequisites

You are using a private CA.

Your CA will provide a web server certificate chain in 2048-bit RSA certificates in Base64 PEM format.

Many private CAs are available and the precise instructions for requesting and configuring certificates will vary between authorities.

Example documented
To view specific instructions as an example, click the expandable headings in this topic. The example describes creating a certificate chain for a single web server using Microsoft Enterprise Certificate Authority on Windows Server. Your own configuration may include multiple servers - and will use your preferred private or internal CA.

Create a CSR from the File Director appliance

  1. From File Director Admin console, click Configuration > SSL Certificate.
  2. Expand the section Create a certificate signing request (CSR), and complete the following fields:
    • Host Name - The fully-qualified domain name of the server where the certificate will be installed.
      Note that wildcard domains can be specified with a * prefix.

      The host name does not have to match the appliance host name set in the appliance console. However, the host name you provide must match the FQDN on your DNS ’A’ records.

    • Company/Organization Name - The name of the organization requesting the certificate.
    • Organizational Unit - The division within the organization. For example, Engineering or Human Resources, or if applicable, the database administrator name for the organization.
    • City - The full name of the city where the organization is located. Do not use codes or abbreviations.
    • State/Province - The full name of the state or province where the organization is located. Do not use abbreviations or codes.
    • Country - The two digit ISO country code where the organization is located. For example, US, FR.
    • Email - The email address that will be a point of contact for the certificate request.
      Note, this email contact may be required at certificate renewal, or in case of technical issues.

  3. Click Create CSR.

    A text box displays the certificate request data.

    Certificate Signing Request

    Every time you use the Generate New CSR option, the unique server key is changed, making any previous certificates generated for this appliance invalid.

  4. Copy the CSR text including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST tags, and save it as a TXT file. You will require the copied text in the next step.

Request certificates from your private CA

Having generated the certificate request, the next step is to go to your private CA and submit the certificate request.

Request server certificate

Note, the precise sequence of steps will vary between CAs.

1.In a web browser, navigate to your private CA: https://<your CA>/certsrv

2.Request a new certificate (or certificate renewal)

Ensure that the certificate request uses base 64 encoded CMC or PKCS #10 (.csr, .pem, .p10 format).

Alternatively, request a certificate renewal that uses base-64-encoded PKCS #7 file (.p7b or .p7c format)

3.Ensure that a web server certificate template and/or web server attributes are applied to your requested certificate

4.When prompted, paste the copied CSR text into the request text field.

5.Submit your request.

Request certificate chain

In addition to the server certificate, you must also retrieve the certificate chain. This is required to cover the certificate of the intermediate or root CA plus and any preceding certificates.

1.Return to your CA to request the certificate chain or CRL.

2.Ensure the certificate request uses Base64 encoded CMC or PKCS #10 format.

3.Download the CA certificate chain.

4.Save your certificate file(s) to the folder required.

Chain certificates downloaded in the PKCS#7 (or P7B) format comprise intermediate and root certificates bundled together. The certificate bundle must be converted to X.509 (or PEM) format to separate the intermediate and root certificates before they can be applied to the File Director appliance.

Apply certificate chain to the appliance

Install certificates

Root certificate

  1. Open the chain certificate file in a text editor, such as Notepad.
  2. Select the text from your root certificate. Include the BEGIN CERTIFICATE and END CERTIFICATE tags but ignore any other metadata included in the file. Copy the text to your clipboard.
  3. In the File Director Admin console, select Configuration > SSL Certificate.
  4. In the Install server certificate section paste the root certificate text into the text box.
  5. Ensure Root Certificate is selected as the Certificate Type and click Upload Certificate.

    A message will confirm that the certificate has been installed and prompts you to upload a chain or server certificate.

Chain Certificate

  1. Return to the chain certificate file in a text editor, such as Notepad.

  2. Select the text from your root certificate. Include the BEGIN CERTIFICATE and END CERTIFICATE tags but ignore any other metadata included in the file. Copy the text to your clipboard.

    If your certificate file contains more than one chain certificate, retain the BEGIN CERTIFICATE and END CERTIFICATE tags for each one and delete any metadata from between them. The text for all intermediate certificates, including the tags, can then be copied to the clipboard as a single file.

    Return to the File Director Admin console (SSL Certificate dialog), in the Install server certificate section paste the chain certificate text into the text box.

    Ensure Chain Certificate/Bundle is selected as the Certificate Type, and click Upload Certificate.

    A message will confirm that the chain certificate has been installed and prompts you to upload a server certificate.

Server Certificate

1.Locate the server certificate file downloaded previously (refer to Request server certificate above).

Open the certificate file in a text editor.

2.Copy the text for the server certificate to your clipboard. Include the BEGIN CERTIFICATE and END CERTIFICATE tags but ignore any other metadata included in the file.

3.In the File Director Admin console (SSL Certificate dialog), in the Install server certificate section paste the server certificate details into the text box .

4. Ensure Server Certificate is selected as the Certificate Type, then click Upload Certificate.

When all certificates have successfully installed, a notification message is displayed at the top of the SSL Certificate dialog confirming that the certificate has been enrolled.

To test the certificate, close and reopen the browser and connect to the Admin console using the fully qualified server name specified in the certificate. If the certificates are installed correctly, the browser connects securely without any security warnings.

We recommend that you back up the File Director appliance configuration snapshot.

Related topics

Trusted Root CA

Configure certificates

E.g. SAN certificate

E.g. Public CA

Upload an existing certificate